Attackers armed with a seemingly unlimited number of 0day exploits, report says.

The hackers who breached the defenses of Google and at least 34 other big companies three years ago have unleashed a barrage of new attacks since then, many that exploit previously undocumented vulnerabilities in software from Microsoft and Adobe, a new report has found.

The number of victims affected, the duration of the campaign, and the difficulty of identifying and exploiting so-called zero-day vulnerabilities mean the resources required "could only be provided by a large criminal organization, attackers supported by a nation state, or a nation state itself," the report (PDF), which was prepared by researchers from antivirus provider Symantec, concluded. Targets over the last three years have mainly been located in the defense, energy, and finance industries and educational and non-governmental organizations.

Most significant about the group is "seemingly an unlimited number of zero-day exploits," which refer to vulnerabilities in widely used software that are exploited before there's public knowledge that they exist. Using an infrastructure Symantec researchers have dubbed Elderwood—a name derived from a variable found in some of its software—the hackers have exploited four zero-day bugs this year alone, and evidence suggests the group has wielded another four zero-days over the past two years. The use of so many previously undocumented vulnerabilities indicates the group has an extremely high level of technical capability.

"In order to discover these vulnerabilities, a large undertaking would be required by the attackers to thoroughly reverse-engineer the compiled applications," the researchers wrote. "This effort would be substantially reduced if they had access to source code. The vulnerabilities are used as needed, often within close succession of each other if exposure of any of the vulnerabilities is imminent."

Update: Some security experts were skeptical of Symantec's conclusions. Finding and exploiting previously unknown vulnerabilities is a regular undertaking during penetration testing that's often carried out to success in a matter of hours or days.

"The fact that they use 0days isn't as big a deal as Symantec makes it out to be," said Rob Graham, CEO of penetration testing firm Errata Security. "We constantly find '0days' as part of pentests and use them against our customers. Just the other day, we used a 0day SQL injection bug in [popular manufacturer's name deleted] firewall to break into a customer."

There's no reason to think the attacks tracked by Symantec couldn't have been carried out by a much smaller operation with more modest resources, Graham said.

The group's attacks date back at least to early 2010 or late 2009, when it exploited a zero-day vulnerability in Microsoft's Internet Explorer browser to pierce the defenses of Google and other large companies. With their malware inside Google's network, the attackers siphoned source code and other intellectual property of the company. Few if any of the other victims confirmed they were hit, but researchers widely believe their digital assets were also appropriated en masse.

The trojan that was installed by the exploits was alternately known as Aurora and Hydraq. It used a certain type of obfuscation to cloak its malicious behavior. Symantec researchers have found that same obfuscation technique deployed in trojans that malware operators installed by exploiting zero-days discovered earlier this year in Adobe's Flash Player (cataloged as CVE-2012-0779) and Internet Explorer (CVE-2012-1875).

The researchers found additional attributes linking other exploits to the same actors, such as similarities in the command and control channels that infected computers contacted to receive instructions and software updates. Another link was the practice of compromising third-party websites that were frequently visited by the ultimate targets of the attacks, for example, manufacturers in the defense supply chain or the Hong Kong branch of Amnesty International that was regularly visited by non-governmental organizations.

Researchers have dubbed this approach "watering hole" attacks, and say they're "similar to a predator waiting at a watering hole in a desert. The predator knows that victims will eventually have to come to the watering hole, so rather than go hunting, he waits for his victims to come to him."

The researchers noticed that many of these watering hole attacks used more than one zero-day exploit. What's more, the timing of these changes was suspicious. As soon as one zero-day exploit was identified, it would be replaced by one that had yet to be discovered. Other similarities included the malicious executable files used and the encryption in booby-trapped documents sent to victims in e-mail.

Perhaps the biggest link is the Elderwood platform. It included a document creation kit that made it easy to bundle specific exploit code and a specific piece of malware and embed it into an otherwise clean document file. Elderwood also included a shared Adobe Flash file that created the precise conditions in a targeted computer's memory required for an exploit to be successful. Other possible components may be tools for the automated creation of website accounts and registration of domain names, and an analysis platform for the huge amounts of data that are pilfered.

APTs: Not your father's hack attack

Google's disclosure in 2010 that it and more than a dozen other sensitive companies were penetrated by the sophisticated attackers cemented the security industry's use of the phrase advanced persistent threat. Although many, this reporter included, once viewed it as a largely meaningless buzz phrase, APTs are useful in distinguishing these types of attacks from more common crime-motivated exploits. The chief difference is this: crime-based attacks, which use malware to obtain online banking passwords or credit card data, are opportunistic, so they're directed at everyone. Defending against them mainly involves having security that's better than other people's on the Internet.

APTs, by contrast, are directed at a specific person or organization that has unique assets. If attackers don't succeed against a specific target with one campaign, they'll direct a new campaign at the same target and hope for better results. They will repeat the process until they succeed. That makes defending against such attacks significantly harder.

Friday's report from Symantec, which showed that the same attackers who pierced the defenses of Google three years ago are using a virtually unlimited supply of zero-days to penetrate new victims, only bolsters the view that APTs are a serious problem with no easy solutions.

Enough with the hyperbole in the headlines. We get plenty of that from the crap US media who forgot how to be objective and straight-talking journalists a couple decades ago.

Hint: an attack (of any kind) is not "lethal" unless someone dies. No one has died in any hacking attacks I'm aware of, with the possible exception of Iranian nuclear scientists hanging around exploding centrifuges.

Lethal

[lee-thuhl] adjective

1. of, pertaining to, or causing death; deadly; fatal: a lethal weapon; a lethal dose.
2. made to cause death: a lethal chamber; a lethal attack.
3. causing great harm or destruction: The disclosures were lethal to his candidacy.

And no, it wasn't 3 either (lethal to Google). Not even close.

How do you know it didn't cause great harm? I would say forcing Google to switch from Windows to Linux/OS X was pretty impressive.

This is exactly the reason why no company should use closed-source software. I'm sure most of those "undocumented" zero-day exploits in Adobe and Microsoft software were documented in their internal bug reports just like all of the previous zero-day exploits in Java by Oracle.

I wonder when they're going to learn their lesson and stop using proprietary software.

Yes, open source software has no bugs, flaws, or security holes in any of it. If there were, they would be found instantly, and also instantly be fixed so this kind of thing can never, ever happen in open source software.

How many of the critical security holes and zero-day exploits in proprietary software for the last year were left untreated for months or years until someone used them?

> Because critical security issues are never distributed for 18 months in open source projects;
> http://www.debian.org/security/2008/dsa-1571

What a great justification. I hope you use that one at work (well, Johnny surfs the net all day at work, so why shouldn't I?) - because you'd end up being sacked from your job in about 5 seconds.

And that's the editor's pick of comments?

Seems like a perfect retort to me. Rex86 is over there talking about how superior open source is and how you would never have these kinds of problems, and he comes with proof that security exploits can exist in ANY FORM OF SOFTWARE. He's not posting the link to point over to Debian to say, "See, he's doing it too! That means it's OK for me!" He's posting it to say that no matter what form of software development you choose - proprietary or open source - you can still end up with massive, long-term exploits. Don't get your panties in such a twist.

It's your website but I'd prefer editor comment picks actually had something insightful about the content not defense or offense taken from the headline wording. It really takes away from the main topic.

I was reading the RSS feed and clicked through to complain about the word "lethal", only to find the title was already changed on the site, and a flame war was already boiling over that very topic! Despite fixing the misleading title, the editor still chose to favorite only the comments which support the usage of that word.

Two things:

1. "Lethal" literally means death in the US. We sometimes use it in hyperbole, as in "he has a lethal 3 pointer" or "those comments proved lethal for his campaign," but we must be clear that is an intentional exaggeration for effect. And even in those cases, the term "lethal" implies a metaphorical death, i.e. one good player killing the other team's chances of winning, or a poorly phrased comment ending a politician's campaign.

Furthermore, using hyperbole is typically reserved for editorializing and for fiction, whereas objective journalism should use clear and concise words. Ars usually has very careful, intelligent writing, and when I saw the word "lethal" in the title, I assumed that it was meant literally. People are free to write what they want, but I like Ars because they tend to be precise, rational, and objective; hyperbole is neither precise nor objective.

If the New York Times ran a headline that said, "Pfizer's New Drug Proves Lethal," and then the story was about a safe drug that was a commercial flop, their readers would rightly object to the sensationalist headline, even though you can find some definition of the word "lethal" that would fit that headline.

2. As somebody who works in cyber security, my single biggest gripe day in and day out is the sensationalism and fear that media, government, and vendors drum up to drive their own agendas. In order to improve our cyber security posture, we need to understand what the threats actually are and not worry about threats that aren't there. The persistent attacks against Google, the sophistication of those attacks, and the implications for state-sponsored cyber terrorism are already alarming enough. Ars does not need to artificially inject more emotion into their coverage...

A headline should always stand on its own, and that one, as previously written, didn't. Ultimately, use of the word lethal was ambiguous, since it certainly raised the possibility of death in the mind of the reader. That was the thinking behind the decision to change the word to potent, which is more accurate and OMFG sounding anyway.

And one of the biggest problems here is that, if this is indeed the Chinese government, asking the US government for help, given their enormous number of black ops and non-supervised foreign adventurism, is probably almost as risky. I sure as heck wouldn't knowingly invite the Feds into any network I controlled; getting rid of them again might be even harder than the Chinese.

Plus, we don't even know if it's the Chinese. It could be false-flag operations. It could even be the US itself.

Although many, this reporter included, once viewed it as a largely meaningless buzz phrase, APTs are useful in distinguishing these types of attacks from more common crime-motivated exploits.

Directed versus general attack seems to do the same thing. But everyone loves acronyms

Another reminder to all Windows users that if you want to be able to defend against 0-day exploits, you should be using EMET with all internet facing applications enabled within the program. The following line is pretty good proof as to the benefits of running DEP, SEHOP and ASLR on such programs.

Quote:

Elderwood also included a shared Adobe Flash file that created the precise conditions in a targeted computer's memory required for an exploit to be successful.

Would have been completely mitigated with EMET enabled and running Flash with ASLR and other memory protections.

And one of the biggest problems here is that, if this is indeed the Chinese government, asking the US government for help, given their enormous number of black ops and non-supervised foreign adventurism, is probably almost as risky. I sure as heck wouldn't knowingly invite the Feds into any network I controlled; getting rid of them again might be even harder than the Chinese.

Plus, we don't even know if it's the Chinese. It could be false-flag operations. It could even be the US itself.

I think the targets speak pretty clearly. Iranian operations being targeted? THAT is the US and Israel. Humans rights activists? Amnesty International? Hmmm... who has motive to hit them? Sorry, this is China, no doubt in my mind.

Most significant about the group is "seemingly an unlimited number of zero-day exploits," which refer to vulnerabilities in widely used software that are exploited before there's public knowledge that they exist.

While it is very frightening that so many as yet unknown vulnerabilities exist in such common software, I find it more frightening that someone somewhere not only has such a seemingly endless supply of zero-day exploits, but that they are being compensated so well that they are not selling the information or skills to other black hat or white hat organizations.

Whoever is bankrolling this operation must have some serious cash laying around to be able to keep the exploits and the exploit creators in their "employ".

I think "lethal" simply implies that these were highly successful attacks on their targets. It's no different than saying that Kobe Bryant is a "lethal" scorer.

Ahh! Thank you for restoring my hope for Humanity! I don't appreciate Nazi word/grammar trendies that seem to run forums these days, it's very similar to those who run to a news post to proclaim themselves the "1st Post!", pointless and annoying.

Who's to say it wasn't lethal for the humanitarians in China? Do we know exactly what took place after these hacks happened? Nope, because China censors all forms of media.

Deep Freeze is a way to keep pretty safe I think. Not going to do anything for the exploits though...

The manner in which they are using their exploits is also especially interesting. They are apparently knowledgeable or close enough to whomever to know that an exploit is likely to be discovered. So they use them simultaneously which demonstrates a great deal of restraint and coordination.

I presume they are gaining something much more valuable by acting in this way than if they were simply stealing identity information/passwords/credit cards.

How did China manage to be excluded from this article? While mentioning that these attacks may be state sponsored, I would have thought it difficult to link anything to the events of three years ago without mentioning the possible involvement of China, which was by far the most discussed aspect at the time.

Judging by the targets this is definitely a Chinese operation. With them hitting and penetrating our best commercial companies, defence contractors and human rights organizations it won't be long before they're destroying our livelihoods along with our freedoms. Time to bomb them right back in cyberspace; offense there is always easier than defense. This is an undeclared war and we're not doing much about it.

Well if the telecommunication services in USA are attacked, and ISPs are attacked all of a sudden with 0 day vulnerabilities, and effectively bringing down cellular connectivity and Internet communications, well... that in itself can kill a lot of people as collateral damage. 911 isn't so easy to contact if there's no pay phones around anymore.

This is why you don't post things on a Saturday afternoon, when the editor has apparently had more than a few drinks to wash the week away.

I kind of wonder with the business/financial goals of the attack if it isn't just a funded thing, buy up zero day exploits whenever they can. Grab a whole lot of info on big companies and play the stock market and it could be quite a business.

This is exactly the reason why no company should use closed-source software. I'm sure most of those "undocumented" zero-day exploits in Adobe and Microsoft software were documented in their internal bug reports just like all of the previous zero-day exploits in Java by Oracle.

I wonder when they're going to learn their lesson and stop using proprietary software.

Yes, open source software has no bugs, flaws, or security holes in any of it. If there were, they would be found instantly, and also instantly be fixed so this kind of thing can never, ever happen in open source software.

How many of the critical security holes and zero-day exploits in proprietary software for the last year were left untreated for months or years until someone used them?

Yes, and for some reason those hackers are using previously "unknown" exploits. I have no idea why anyone would do that, when you have unfixed exploits that anyone can use. For some reason most of the worst attacks recently have happened because of huge gaping holes in closed source software.

Your argument is fundamentally wrong, because in all of the previous cases of hacked closed source software someone knew that those exploits existed and that someone did nothing to fix them.

Judging by the targets this is definitely a Chinese operation. With them hitting and penetrating our best commercial companies, defence contractors and human rights organizations it won't be long before they're destroying our livelihoods along with our freedoms. Time to bomb them right back in cyberspace; offense there is always easier than defense. This is an undeclared war and we're not doing much about it.

HA, that's a joke. Destroy your livelihoods and freedoms? LMAO OLOLOLOLOLOLOL, Good one. They don't need to do that. Your government and people like Bush are already doing a great job at that. Your bankers stole your livelihoods, as in the Fed and those that OWN it. And, Bush took away a good chunk of your freedoms with the Patriot Act. You have warrantless wiretapping, the FBI sidestepping privacy laws, the NSA tracking everyone. The only thing China is interested in doing is getting some military tech from the defense contractors so they might be able to defend against whatever attack the US might throw at them when they decide the time is right. When that happens, your government will declare martial law, and effectively take away ALL of your freedoms, what's left of them anyway. China has no need to do that.

It's your website but I'd prefer editor comment picks actually had something insightful about the content not defense or offense taken from the headline wording. It really takes away from the main topic.

That'll teach you to critique the commentary mechanics.

How it works is this: That the editorial staff just rolls a 1d10 (10 is zero) for how many comments to pick and a 2d20 to pick the comment. It's science.

Usually on news threads finding a good comment is like dumpster diving for treasure.